Aegis Developer PortalDeveloper Search
Press ⌘K or Ctrl+K to jump through guides and API endpoint docs.
Authentication
Authentication Onboarding
One path for user apps and one for broker workloads. Both paths use short-lived tokens and request-level proof binding for sensitive operations.
User API Path
- Authenticate user with Firebase Auth.
- Derive and protect the user master key locally; never transmit plaintext key material.
- Call `MintUserApiToken` with the least access required for your integration.
- Store broker token in memory only.
- Call lease APIs with DPoP `request_proof` per request.
- Rotate and revoke on incident indicators.
{
"tenant_id": "business-default",
"requested_ttl_seconds": 600,
"pop_key_id": "key-01"
}MCP OAuth Device Path
- MCP calls `BeginMcpOauthDeviceAuthorization` and displays verification code + URL.
- User logs in through browser and approves the device authorization request.
- MCP polls `ExchangeMcpOauthDeviceAuthorization` until status `success`.
- No static API keys are required; keep returned broker token in memory only.
- Bind all lease requests with DPoP JWT or mTLS fingerprint proof.
{
"proof_type": "dpop_jwt",
"dpop_jwt": "<signed-jwt-with-htm-htu-ath-jti-iat-nonce>",
"nonce": "nonce-create-0001"
}Readiness Checklist
- All production auth calls use secure bearer authorization headers.
- Request only the permissions needed for each API flow.
- Replay checks are validated in CI (`jti` / nonce uniqueness).
- mTLS or DPoP key lifecycle is documented and monitored.
- Support playbook exists for compromised key or token response.